Cisco Application Policy Infrastructure Controller Enterprise Module (Cisco APIC-EM)




Cisco Application Policy Infrastructure Controller Enterprise Module (Cisco APIC-EM)
Early Field Trial #2 Release Notes
Version 0.7.1.3

Corporate Headquarters
Cisco
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

These release notes describe the features and caveats for the Cisco Application Policy Infrastructure Controller Enterprise Module (Cisco APIC-EM).

Contents

Introduction
What's New in Cisco APIC Enterprise Module EFT Release 0.7.1.3
Cisco APIC-EM System Requirements
  Supported Platforms and Software Requirements
  Supported Platform by Service
  Supported Services
Deploying the Cisco APIC-EM
  Service Startup and Maintenance Requirements
Features
  Discovery
  Device Inventory
  Host Inventory
  Topology
  Policy
  Quality of Service
  Policy Analysis
Cisco APIC-EM Capability Metrics
Caveats
Limitations and Restrictions
  General Limitations
  Settings
  Policy
    Permit Policies
    Deny Policies
    Copy Policies
  Policy Analysis
    ACL Analysis
    ACL Trace
  QoS
  Services
    Identity Manager Service
  Wireless LAN Controller
  Zero Touch Deployment
Documentation Updates
Service and Support
  Troubleshooting
Related Documentation
Obtaining Documentation and Submitting a Service Request

Introduction

The Cisco Application Policy Infrastructure Controller Enterprise Module (Cisco APIC-EM) is a software platform that serves as an interface between network elements in one direction (southbound) and third-party applications in the opposite direction (northbound). The Cisco APIC-EM architecture is highly available, scalable, and extensible.

Note: Cisco APIC-EM is part of the Cisco Developer Network for ACI (Cisco Application Centric Infrastructure). Developers can use the Cisco developer tools to build applications for the controller using its northbound REST APIs.

What's New in Cisco APIC Enterprise Module EFT Release 0.7.1.3

- Support for the following numbers of hosts and devices:
  - Hosts: up to 250
  - Routers, switches, wireless LAN controllers (WLC), and access points: up to 100 devices
- Improved Discovery, Device Inventory, and Host UI display and functionality
- New system notification support
- New dashboard support with widgets
- New Cisco APIC-EM northbound REST API Javadoc support
- New Topology features:
  - Aggregation and disaggregation
  - Topology tag keyword
- New Policy Analysis features:
  - ACL Analysis
  - ACL Trace
- Quality of Service support
- Data services: data is now persistent and survives controller restarts.

Cisco APIC-EM System Requirements

Cisco APIC-EM is delivered as a preconfigured OVA with the following platform requirements:

  Server            64-bit x86
  vCPU              4 (2.4 GHz)
  RAM               64 GB
  Browser           Chrome 28.0 or later
  Hypervisor        VMware vSphere 5.1 or later
  Storage           100 GB HDD
  Network Adapter   1
  Web Access        Required

Supported Platforms and Software Requirements

Cisco APIC-EM supports the following Cisco platforms and software releases.

Table 1  Supported Cisco APIC-EM Routers, Switches, and Software Releases

  Device                                                        Software Release
  Catalyst 2960-S Series switches                               Cisco IOS 15.2(1)E1, 12.2(58)SE2
  Catalyst 3560-X Series switches                               Cisco IOS 15.2(1)E1, 12.2(58)SE2
  Catalyst 3560CG Series switches                               Cisco IOS 15.0(2)SE5, 12.2(55)EX3
  Catalyst 3650 Series switches                                 Cisco IOS XE 3.3.2SE, 3.2.3SE
  Catalyst 3750-X Series switches                               Cisco IOS 15.2(1)E1, 12.2(55)SE8
  Catalyst 3850 Series switches                                 Cisco IOS XE 3.3.2SE, 3.2.3SE
  Catalyst 4500E (Supervisor Engine 7-E) Series switches        Cisco IOS XE 3.5(2)E, 3.2(8)SG
  Catalyst 6500 (Supervisor Engine 720-3C/B) Series switches    Cisco IOS 15.1(2)SY2
  Catalyst 6880-X Series switches                               Cisco IOS 15.1(2)SY2
  Nexus 7000 Series switches                                    Cisco NX-OS 6.2(6a), 6.1(4a)
  5500 Series Wireless LAN Controller                           7.6(110.0), 7.4(121.0)
  5760 Wireless LAN Controller                                  Cisco IOS XE 3.3.3SE
  Integrated Services Routers (ISR) G2                          Cisco IOS 15.2(4)M5, 15.1(4)M7
  Integrated Services Routers (ISR) 4451                        Cisco IOS XE 3.12.0S
  ASR 1000 Series Aggregation Services Routers                  Cisco IOS XE 3.11(2)S
  Cloud Services Router (CSR) 1000V Series                      Cisco IOS XE 3.12.0S, 3.10.2S

Supported Platform by Service

The following platforms are supported by the following Cisco APIC-EM services in this release:

- Discovery, Inventory, Topology: ISR (1900, 2900, 3900, 4451), ASR 1000, CSR 1000V, 3850, 3750-X, 2960-S, 3560-X, 3650, 3560CG, 4500 (7E), 6500 (720), 6880-X, 2960-S (stack), 3750-X (stack), 3850 (stack), Nexus 7000 (Discovery and Inventory only), WLC 5508 (Discovery and Inventory only), WLC 5760
- Policy (QoS, ACL, SPAN) and Policy Analysis (ACL analysis): 3850, 3750-X, 2960-S, 3560-X, 3650, 3560CG, 4500 (7E), 6500 (720), 6880-X, 2960-S (stack), 3750-X (stack), 3850 (stack)
- Policy Analysis (ACL analysis) only: ISR (1900, 2900, 3900, 4451), ASR 1000, CSR 1000V
- QoS: 3850, 3750-X, 2960-S, 3560-X, 3650, 3560CG, 4500 (7E), 6500 (720), 6880-X, 2960-S (stack), 3750-X (stack), 3850 (stack)

Supported Services

The Cisco APIC-EM creates a Platform as a Service (PaaS) environment for your network. A service in this PaaS environment is a horizontally scalable application that adds instances of itself when the load on a virtual machine within the network increases. The following services are included in this EFT release:

- keystone
- reverse-proxy
- router
- postgres
- data-access-service
- file-service
- identity-manager-pxgrid-service
- identity-manager-radius-service
- inventory-manager-service
- network-discovery-service
- network-programmer-service
- network-tapping-service
- policy-analysis-service
- policy-manager-service

- policy-programmer-service
- qos-service
- task-service
- terminal-service
- topology-service
- ui
- ztd-service

Deploying the Cisco APIC-EM

To deploy the Cisco APIC-EM, refer to the Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 0.7.1.x.

Service Startup and Maintenance Requirements

Cisco recommends that you confirm that several key services are up and running on the first startup of the controller after deployment. You check the status of the services with the developer console.

Note: The console tools are bundled with the OVA files and are installed when you deploy Cisco APIC-EM. You access the console using any of the root VM IP addresses that you entered in step 7, ROOT VM IP ADDRESSES, of the configuration wizard procedure described in the deployment guide (note the port number):

http://root-vm-ip-address:14141

The console URL is plain HTTP, so reach it only from the management network that the root VM IP addresses belong to.

After accessing the console, review the list of operational services in the Overview window. Each service is represented by a square: a green square is an active instance of the service, a red square is a service with a faulty or failed instance, and an uncolored square is an inactive service (no instances initiated and running). Wait until the Postgres, DAS (data-access-service), and Keystone services are all shown as running (green squares) before beginning to interact with the controller.

Features

Specific Cisco APIC-EM features are described in the following sections:

- Discovery
- Device Inventory
- Host Inventory
- Topology
- Policy
- Quality of Service
- Policy Analysis

Discovery

The Cisco APIC-EM supports a discovery function that populates the controller's device and host inventory database. You perform a discovery scan by entering an IP address range for the network devices, by using a seed IP address with the Cisco Discovery Protocol (CDP), or both. After running a scan, the Cisco APIC-EM populates its database with the data collected from your network devices and hosts.

Device Inventory

The Cisco APIC-EM collects the following information from devices within the network:

- Device status
- Device name
- MAC address
- IP address
- IOS/firmware
- Platform
- Serial number
- Uptime
- Configuration
- Device role
- Location
- Tag
- Last updated time
- Frequency
- Number of updates

Host Inventory

The Cisco APIC-EM collects the following information from hosts within the network:

- Host name
- User ID
- User status
- MAC address
- IP address
- Network attachment point
- Host type
- Number of updates
- Update frequency

Topology

Cisco APIC-EM supports a graphical view of your network (topology view). The Cisco APIC-EM automatically discovers and maps devices to a physical topology with detailed device-level data. In addition, auto-visualization of Layer 2 and Layer 3 topologies on top of the physical topology provides a granular view for design planning and simplified troubleshooting.

Policy

Cisco APIC-EM supports a policy application that offers the following functionality:

- Auto-translates business policy into device-level network policy for quick and easy enforcement across heterogeneous environments.
- Allows policy creation with user ID, IP address, and application information for granular network access and control.
- Supports per-user application flow mirroring and copy policies for remote monitoring and troubleshooting.

Quality of Service

Cisco APIC-EM supports the following quality of service (QoS) features:

- Uses Cisco Validated Designs (CVD) as core building blocks to automatically map all network applications to different classes of service based on the RFC 4594 DiffServ architecture.
- Supports a 12-class model.
- Allows easy customization of policies based on needs and current standards.
- Supports one-click QoS policy deployment and removal.

- Automatically translates business-level requirements into a network-level language to enable QoS across heterogeneous environments for quick implementation and to use device capabilities to their full potential.

Policy Analysis

Cisco APIC-EM supports the following policy analysis features:

- Inspection, interrogation, and analysis of network access control policies.
- Ability to trace application-specific paths between end devices to quickly identify the ACLs in use and problem areas.
- ACL change management with easy identification of conflicts and shadows.

Cisco APIC-EM Capability Metrics

Cisco APIC-EM supports the following capabilities:

  Supported number of hosts                                                250
  Supported number of policies per host                                    3
  Frequency of user mobility on the same device                            30 seconds (1 host moves every 30 seconds)
  Support for flapping (user addition and removal in the order of
    milliseconds)                                                          No support
  Frequency of multiple hosts joining the network on the same device       9 seconds (1 host joins every 9 seconds)
  Time between hosts joining the system (lag) on the same device           30 seconds
  Time interval between the controller configuring two policies on the
    same device                                                            10 seconds
  Time used for the controller to configure devices                        10 seconds (for 1 policy, 1 device, and 1 application)
  Total number of devices that you can configure a policy on               100
  Total number of policies in the system                                   1000
  Applications per single policy                                           5 recommended, but this is not the maximum
  Number of ports per application                                          3
  Controller time limitation after discovery, before starting policy
    analysis services                                                      40 seconds
  Time for the controller to update its database of routing and
    switching information after the protocols converge on the network
    (for Policy Analysis applications such as ACL Trace)                   Less than three minutes
  Controller time to configure a policy end-to-end on 1 port               100 milliseconds

User mobility on the same device (30 seconds): When a new policy is added for a user, the controller detects the user's location and connections in the network (the device and interface behind which the user's laptop or PC is connected) and applies the policy on that device and interface. The controller requires approximately 10 seconds on average to apply a policy; because the recommended maximum is 3 policies per user, applying the 3 policies takes 30 seconds. When the user moves from one location in the network to another, the device and interface that the user connects to change, and the controller must remove the programming from the original device and interface and program the new device and interface. The controller therefore requires a delay of 30 seconds or more between adding and removing the same user on the same device. The same requirement applies to a remove-then-add combination and to an add-then-add combination, in any order. This limitation does not apply when the users are behind different devices.

Multiple hosts joining on the same device (9 seconds): If multiple hosts join a device, the controller requires a gap of at least 9 seconds between each host joining.

Note: The capabilities listed above are recommendations only. There are no set limits within the controller to prevent users from exceeding them.

Caveats

CSCuq48350

Issue: When trying to log into the Cisco APIC-EM UI, you may encounter the following error:

  An unexpected error prevented the server from fulfilling your request. (OperationalError) could not connect to server: Connection refused Is the server running on host 192.168.17.24 and accepting TCP/IP connections on port 5432?

Port 5432 is the Postgres service; the message means the UI could not reach it. Wait 5 minutes to ensure that all of the Cisco APIC-EM services are up and running.

Note: Use the developer console to monitor the current state of the services.

If after the 5-minute interval you still encounter the same error when logging in, perform the following steps:

Step 1: Log into the root VM.
Step 2: Run the following command: reset_grapevine
Step 3: When prompted, enter y (Yes) to Harvest all Virtual Machines.
Step 4: When prompted, enter n (No) to Harvest all Virtual Disks.

At this point, the reset_grapevine command harvests all Cisco APIC-EM virtual machines and then regrows the Cisco APIC-EM services.

If after regrowing the services you still encounter the same error, perform the same 4 steps, but in step 4 enter y to Harvest all Virtual Disks. Note: You lose all APIC-EM data at this point. If you do not need the data, you can choose y to Harvest all Virtual Disks on the first attempt at running the reset_grapevine command.

CSCuq55661

Issue: The 5760 Wireless LAN Controller is a supported platform and is discovered like any other IOS device, but the APs and wireless clients associated with it are neither discovered nor added to the device inventory and host inventory tables.

Workaround: There is no workaround at this time.

Limitations and Restrictions

Cisco APIC-EM limitations are described in the following sections:

- General Limitations
- Settings
- Policy
- Policy Analysis
- QoS
- Services
- Wireless LAN Controller
- Zero Touch Deployment

General Limitations

- The Cisco APIC-EM supports the following numbers of devices and hosts without any degradation in service:
  - Devices (routers, switches, wireless controllers, and access points): 100
  - Hosts: 250
- During the Cisco APIC-EM deployment procedure, the vSphere username and password are stored as clear text on the Cisco APIC-EM root virtual machine. Use a dedicated vSphere account with only the privileges the deployment needs, and restrict login access to the root VM accordingly.
- The Cisco APIC-EM supports both extended and standard IP ACLs. The controller configures policies from the northbound using only extended IP ACLs; it reads both extended and standard IP ACLs from the southbound.
- Port channels are not supported by the Cisco APIC-EM. The controller treats the physical ports in a port-channel configuration as individual ports.
- The web GUI may take a few seconds to become available after the controller is started.
- If your Device Inventory consists of more than one page, location and tag deletion does not work. The workaround is to refresh the page.

Multi-Instance Support

For this release, the Cisco APIC-EM is set up for automatic updates. During an automatic update, multi-instance service support ensures that no downtime occurs for the controller. There is currently a known issue that certain problems may occur during a period of 5 to 10 minutes while the Postgres service is being upgraded. Note: Postgres service upgrades occur infrequently. Spinning up multiple instances of services manually and running them for an extended period has not been tested and is not supported for this release.

Settings

To configure the Cisco APIC-EM for a RADIUS server environment, switches performing 802.1X authentication must point to the Cisco APIC-EM as the RADIUS server. You must configure the switch to recognize the Cisco APIC-EM IP address as the actual RADIUS server. Refer to your switch documentation for information about configuring a RADIUS server.

To configure the Cisco APIC-EM for LDAP, note that only Cisco LDAP servers have been tested for this functionality. With this Cisco APIC-EM release, the controller does not access any user identity information from Active Directory. The purpose of configuring LDAP credentials on the controller in this release is to retrieve the user groups with which a given user is associated. This data is displayed in the Host Inventory but is not used by the Policy framework (for example, for applying user-group-based policies).

Policy

- Policy is only supported for wired hosts, not wireless hosts, for this release.
- Cisco APIC-EM policy operates on a whitelist model. When a policy is applied to an interface, all unmatched traffic is denied unless explicitly permitted by policy rules.
- The sequence in which policies are programmed with the controller is significant. If a different order of policies is required, all relevant policies must first be deleted and then added again to the controller in the desired order.
- To update parameters within a policy, you must first delete the policy from the controller and then create a new policy containing the updated parameters.
- Once you begin programming policies with the controller after first using it to discover the existing ACLs and policies on the network, all southbound discovery of ACLs on the network switches configured by the user stops.

Permit Policies

The Permit action for a policy is only supported on access layer switches at this time.

Deny Policies

The Deny action for a policy is only supported on access layer switches at this time.
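The Settings section above requires every 802.1X switch to use the controller as its RADIUS server, and the Identity Manager Service section lists the ports it listens on (authentication 1812, accounting 1813). Before pointing production switches at it, a practitioner will want to confirm from a host that a RADIUS server actually answers on the controller's authentication port with the shared secret the switches will be given. The following added example does that with an RFC 5997 Status-Server probe; it is not code from the release notes or from APIC-EM. The server address 192.0.2.10 and the shared secret are placeholders, and the response check covers only the RFC 2865 Response Authenticator (a full implementation would also verify the reply's Message-Authenticator).

```python
"""RADIUS Status-Server probe (added example, not part of APIC-EM)."""
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12                 # RFC 5997 Status-Server code
ACCESS_ACCEPT = 2                  # expected reply code on the authentication port
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 2869 Message-Authenticator attribute type
AUTH_PORT = 1812                   # authentication port used by the Identity Manager RADIUS service
ACCT_PORT = 1813                   # accounting port (not probed here)


def build_status_server(secret, identifier, request_authenticator):
    """Return the Status-Server packet. The Message-Authenticator is HMAC-MD5 keyed with
    the shared secret over the whole packet with the attribute value set to 16 zero bytes."""
    placeholder = struct.pack("!BB16s", ATTR_MESSAGE_AUTHENTICATOR, 18, b"\x00" * 16)
    length = 20 + len(placeholder)
    header = struct.pack("!BBH16s", STATUS_SERVER, identifier, length, request_authenticator)
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + struct.pack("!BB16s", ATTR_MESSAGE_AUTHENTICATOR, 18, mac)


def verify_response(secret, request_authenticator, response):
    """Check the reply's length, code and Response Authenticator, which RFC 2865 section 3
    defines as MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(response) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or code != ACCESS_ACCEPT:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def make_accept(secret, request_authenticator, identifier, attrs=b""):
    """Build the Access-Accept a server would send; used to exercise verify_response offline."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + authenticator + attrs


def probe(server, secret, timeout=3.0):
    """Send one Status-Server request and return True if a valid Access-Accept comes back."""
    identifier = os.urandom(1)[0]
    request_authenticator = os.urandom(16)   # random per request, as RFC 2865 requires
    packet = build_status_server(secret, identifier, request_authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, AUTH_PORT))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return response[1] == identifier and verify_response(secret, request_authenticator, response)


if __name__ == "__main__":
    # Placeholder controller address and shared secret; substitute your own.
    state = "up" if probe("192.0.2.10", b"placeholder-secret") else "down"
    print("RADIUS authentication on 192.0.2.10:%d is %s" % (AUTH_PORT, state))
```

A "down" result with the correct address means either the identity-manager-radius-service is not running yet (check the developer console) or the shared secret differs from the one the switches will be configured with; a server that ignores Status-Server entirely also reads as "down", so confirm the service is green before treating the result as a secret mismatch.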

Copy Policies

- The Copy action for a policy is only supported between hosts.
- The Copy action for a policy is only supported on access layer switches at this time.
- Preexisting SPAN configurations on network devices are not discoverable by the controller. To avoid conflicting SPAN configurations, ensure that there are no preexisting SPAN configurations on the network devices to which you apply a policy with a Copy action.
- Copy policies for RSPAN and FRSPAN are not supported with a VTP configuration.
- A copy policy does not support an interface with 'switchport mode access' specified in the path.
- After a copy policy is successfully applied from a source host to a destination host, the interface directly connected to the destination host only allows ingress traffic, which leads to a loss of connectivity for that host; this is due to the SPAN or RSPAN feature.

The following copy policies are supported for the following devices in this release.

Table 2  Supported Copy Policies for Catalyst Switches

  Catalyst   License              SPAN  FSPAN  RSPAN  FRSPAN  Max Source  Max RSPAN Dest.  Max Total
  Platform                                                    Sessions    Sessions         Sessions
  2960-S     LAN Base             Yes   No     Yes    No      2           64               66
  3560-X     IP Base              Yes   Yes    Yes    Yes     2           64               66
  3560-X     IP Services          Yes   Yes    Yes    Yes     2           64               66
  3560-CG    IP Base              Yes   Yes    Yes    Yes     2           64               66
  3560-CG    IP Services          Yes   Yes    Yes    Yes     2           64               66
  3650       IP Base              Yes   Yes    Yes    Yes     2           64               66
  3650       IP Services          Yes   Yes    Yes    Yes     2           64               66
  3750-X     IP Base              Yes   Yes    Yes    Yes     2           64               66
  3750-X     IP Services          Yes   Yes    Yes    Yes     2           64               66
  3850       IP Base              Yes   Yes    Yes    Yes     2           64               66
  3850       IP Services          Yes   Yes    Yes    Yes     2           64               66
  4507R      IP Base              Yes   Yes    Yes    Yes     2           8                16
  4507R      Enterprise Services  Yes   Yes    Yes    Yes     2           8                16
  4510R      IP Base              Yes   Yes    Yes    Yes     2           8                16
  4510R      Enterprise Services  Yes   Yes    Yes    Yes     2           8                16
  6503-E     Any                  Yes   No     Yes    No      2           64               80
  6504-E     Any                  Yes   No     Yes    No      2           64               80
  6506-E     Any                  Yes   No     Yes    No      2           64               80
  6509-E     Any                  Yes   No     Yes    No      2           64               80
  6513-E     Any                  Yes   No     Yes    No      2           64               80
  6880-X     Any                  Yes   No     Yes    No      2           64               80

Policy Analysis

- Once you begin programming policies with the controller after first using it to discover the existing ACLs and policies on the network, all southbound discovery of ACLs on the network switches configured by the user stops.
- When more than one port value is given to the eq argument in an ACE, the ACL parser divides it into multiple ACEs. The analysis is semantically correct, but the results do not directly match the original ACL. For example:

  10 permit tcp any any eq 10 20 30
  20 permit tcp any any eq 50

  is shown as:

  10 permit tcp any any eq 10
  11 permit tcp any any eq 20
  12 permit tcp any any eq 30
  20 permit tcp any any eq 50

ACL Analysis

The ACL analysis assumes an implicit deny ip any any ACE at the end of every ACL.

ACL Trace

- ACL trace is currently only supported between wired hosts.
- If multiple paths exist between the source and destination host, the ACL trace may be inaccurate.
- For an ACL trace, the supported switching and routing protocols are:
  - STP
  - OSPF
  - IS-IS
  - Static routes

  - VLANs

QoS

- QoS provisioning may take a significant amount of time, depending on the number of applications selected for the QoS map and the number of network devices within that scope.
- WAN edges for a branch router cannot be identified, so the QoS application does not program ingress and egress policies there. This support will be added in a future release.

Services

Identity Manager Service

- The Identity Manager Service only supports 802.1X authentication. Other authentication methods, such as MAC authentication bypass (MAB), are not supported.
- For the Identity Manager RADIUS service, the authentication port is set to 1812 and the accounting port is set to 1813. Any switches configured for the Cisco APIC-EM RADIUS server environment must also reflect these port settings.

Wireless LAN Controller

Wireless LAN Controllers (WLC) and APs are supported for discovery, inventory, and topology in this release. The 5760 Wireless LAN Controller is a supported platform and is discovered like any other IOS device, but the APs and wireless clients associated with it are neither discovered nor added to the device inventory and host inventory tables.

Zero Touch Deployment

The Zero Touch Deployment application has not been enabled for this release.

Documentation Updates

There are no documentation updates for this release.

Service and Support

Troubleshooting

Refer to the Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 0.7.1.x, for additional supported troubleshooting procedures.

Related Documentation

Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 0.7.1.x: Refer to this guide for information about the Cisco APIC-EM itself, including deployment, verification, settings configuration, and troubleshooting.

Cisco Application Policy Infrastructure Controller Enterprise Module Configuration Guide, Release 0.7.1.x: Refer to this guide for information about managing and monitoring connected devices and hosts, and about applying supported policies and applications to your network.

Cisco Validated Designs documents: http://www.cisco.com/go/designzone

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.

This document is to be used in conjunction with the documents listed in the Related Documentation section.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

2014 Cisco Systems, Inc. All rights reserved.
